Roundtable Insights: Cyber security and Financial Services

Make it More than a Box-Ticking Exercise

Cyber-attacks continue to evolve and are becoming more frequent and widespread in the financial services sector. We asked experts from BMIT, Continent 8 Technologies, Grant Thornton and RSM to share their thoughts about the state of cybersecurity in the financial services industry and highlight best practices.

Brian Borysewich - Chief Information Security Officer, Continent 8 Technologies

Klaire Caritos - Manager IT & Business Risk Services, Grant Thornton Malta

Ivan Galea - Product Manager, BMIT Technologies

Gordon Micallef - Partner, RSM Malta

How would you characterise the extent and nature of the cyber risks currently facing financial organisations in Malta?

Ivan Galea (BMIT Technologies): Cyber-attacks have been on a constant rise in all industries but specifically in the financial industry due to the sensitive data these organisations store. These organisations are becoming a bigger target as they continue to digitise their operations and services. Cyber-attacks can take many shapes, but they are constantly evolving as criminals find new techniques how to disrupt or steal data. These attacks have repercussions that lead to a substantial regulatory fines or lawsuits. But the repercussions do not stop there. Think about the reputational and the brand damage this may cause the business.Brian Borysewich (Continent 8 Technologies): The risks are even greater today than one year ago, and this is mainly due to the new methods of Ransomware delivery and injection into financial institution networks and servers. Cyber risks are now measured not only as cybersecurity vulnerabilities but also as cyber crimes and criminal activities specifically focused on stealing money and causing reputational brand damage.Ransomware has been very prevalent in the news over the last year with several high-profile, successful attacks. But now there are new vectors in the Ransomware attacks that no longer encrypt local devices or servers. Instead, the Ransomware group infiltrates the bank and then captures and exploits all of its data. They then contact the bank and tell them that all of their data is in their hands and unless a Bitcoin ransom is paid, the information will be made public.Malta specific attack threats are escalating due to the belief by hackers that the country – as well as other non-super-powers – do not have the resources to thwart the attacks and cyber exploitations. The reality is they do, but an education process needs to take place to better inform financial companies of the threats they face and how they can mitigate them.Gordon Micallef (RSM Malta): Cyber risks used to be linked with specific assets sitting in the server room, or maybe an application on the Cloud. With remote work becoming the norm and applications extending to user devices, the footprint that cybersecurity must cover has extended far wider than it ever did. Meanwhile, the nature of cyber risks is becoming less technical and increasingly social, with a majority of hacks involving interaction with employees and partners.Klaire Caritos (Grant Thornton): Given the sensitive and intrinsic value of data held by organisations in the financial services sector, there is high demand for this kind of data through infamous channels as the darknet, making the financial services sector a high-profile target for cybercriminals. Vulnerabilities hit at the core of a financial institution’s brand reputation and customer loyalty. When consumers and business customers place their trust and financial assets with a financial institution, reputation for information security is paramount.

"With remote work becoming the norm and applications extending to user devices, the footprint that cyber security must cover has extended far wider than it ever did." - Gordon Micallef Partner, RSM Malta

In your experience, are companies prepared to handle these cyber threats, and are they allocating sufficient resources to mitigate the risk?

Klaire Caritos (Grant Thornton): Cyber-attacks on financial services companies are increasingly diverse and therefore unpredictable. The financial services industry is constantly upping the game but there is no room for complacency. As attacks increase, financial institutions are under increased pressure be it driven by customer concern, regulatory supervision as well as principles of good governance to proactively, and not reactively, find solutions to mitigate cybersecurity risks. A comprehensive approach to address cybersecurity is clearly needed. Viewing cyber risk as an information-technology issue simply falls short of proper risk management. What is called for is an integrated risk management strategy, which addresses cybersecurity as part of an organisation’s holistic strategy, involving resources and activities of the entire organisation.Gordon Micallef (RSM Malta): This is such a hard one to nail down as cybersecurity is a catch and mouse game. As one improves the defences around the business, the criminals put increasingly more effort until they get to the weaker companies. This is about being better than your competitors so that the criminals find it easier to attack them instead of you. Ultimately, as long as the financial remuneration for this criminal activity is rewarding, the hackers will keep pumping more resources and effort into it. You just have to stay ahead of the game.Brian Borysewich (Continent 8 Technologies): The company or organisation’s ability to handle cyber threats really depends upon the level of commitment to the safety and security of the networks, servers, and employees. They should have the relevant policies and procedures in place and make these known to ALL employees. Banking organisations must also place cybersecurity in all areas of the services they offer. This includes areas such as software and application development with operational security built into the programmes.It is important they understand that cybersecurity cannot be simply solved with assessments and network border devices such as firewalls and DDoS. Instead, it requires a complete modelling of how applications and the bank are connected to the internet plus other companies and institutions. But risks are not limited to internet threats. They are also internal – around 80% of unintentional data exploitation comes from human error. For this reason, the cybersecurity plan must include mechanisms such as data loss protection, encryption, identity, and access management.

"Risks are not limited to internet threats. They are also internal – around 80% of unintentional data exploitation comes from human error." - Brian Borysewich Chief Information Security Officer, Continent 8 Technologies

Ivan Galea (BMIT Technologies): Businesses tend to take a very reactive approach to security due to two main factors: the cost of security and general awareness of security risks. We do, however, see slow progress from financial organisations, which are taking security more seriously by investing and adopting preventative security measures against these evolving threats. But this is mostly to satisfy new regulations set by industry authorities. We also have to keep in mind that certified and experienced people are very hard to come by, especially on a tiny island like Malta. This is why there are managed services providers and technologies to help and aid businesses to achieve a good security posture to mitigate and defend against these threats.

What steps need to be taken should an organisation fall victim to a cyber-attack?

Gordon Micallef (RSM Malta): Understand which assets have been compromised and ensure that forensic evidence is retained. This may include snapshots of virtual environments or physical hard disks. Take a lot of care to not mess about with the compromised computers, so that the experts can extract the necessary logs and attack footprints. Your continuity plans should come to fruition and the ability to re-building your assets against the target recovery time. Most importantly, make sure that someone is clearly responsible for communications, both internally to staff and externally to customers, partners and regulators.Ivan Galea (BMIT Technologies): Although it is tempting to delete all data and configurations to restore operations after a breach, it is crucial to preserve evidence to identify the initial threat and the criminals. Nevertheless, here are some initial key steps to take: Firstly, it is important to report the incident to the authorities and your service provider for additional assistance and investigation. Identify the compromised devices and identities, and make sure to quarantine them from your IT infrastructure/network. Then disconnect your business from the internet and disable remote access to your infrastructure. Next is changing passwords. Create new strong passwords for all devices and identities. Then you should scan and install all the latest patches and firmware on your infrastructure and technologies. Lastly, it’s important not to change your firewall or security settings before the breach has been analysed and investigated.

"Although it is tempting to delete all data and configurations to restore operations after a breach, it is crucial to preserve evidence to identify the initial threat and the criminals." - Ivan Galea Product Manager, BMIT Technologies

Brian Borysewich (Continent 8 Technologies): I agree. The most important action is to isolate and remove the affected system or systems from the network. Do not, I repeat, do not shut the system off as there will be valuable data for forensic studies of the attack. Cybersecurity policies and procedures should have an escalation chain of command that involves leadership and bank board members. They should also include what information and disclosure are made to the public and news organisations. Processes must also be in place for notifying customers or organisations that may be directly or indirectly affected by the breach – this should include what data has been disclosed. The final step is to then bring in forensic and cybersecurity experts to analyse and determine the threat vectors used and the data loss that may have occurred.Klaire Caritos (Grant Thornton): Following a breach, it is important to perform a post-incident review to identify weaknesses that would have led to the breach, planning an action plan to address such shortfalls, as well as an assessment of the effectiveness of the incident response plan. Victims are to promptly engage with Law Enforcement authorities, and any other remediation support entity, immediately upon discovery of the breach, maintaining an open channel of communication and providing details as to the threat assessment to allow for containment of the breach and to inform any future victims. It is critical to the success of a business to integrate cybersecurity into its strategic objectives and to ensure that cybersecurity roles are defined in its organizational structure.

What essential tips and best practice can you share that will help financial services firms to enhance their cybersecurity processes, policies, and procedures?

Gordon Micallef (RSM Malta): So many still think that policies and procedures are static documents. In practice, they need to ‘turn alive’ into a pragmatic business process that businesses operate by in their day-to-day activities as second nature. Dry run security testing such as vulnerability testing, simulated phishing, and BCP tests. The lessons you learn from such exercises are so valuable.Brian Borysewich (Continent 8 Technologies): They must first establish clear and concise policies and procedures across all 20 critical security controls. This should then be supported by an in-house or third-party Security Operations Centre (SOC) to monitor and protect the environment. It goes without saying that data must be encrypted and protected as per the guidelines set out under GDPR and PCI; banks should also establish a strong identity and access management system for the data being held. We also recommend that banks undertake quarterly vulnerability and penetration testing (VAPT) and then put in place action and remediation plans based on the VAPT findings. This should be done alongside risk assessments and risk studies that include social engineering assessments. While it is not possible to stop all breaches or exploits, having a solid foundation for encryption minimises the disclosure risks to bad actors.Klaire Caritos (Grant Thornton): Cybersecurity starts with people. Address the organisational challenges with decisive actions that recognise cybersecurity as a strategic business problem, not just an “IT problem”. Beyond awareness, everyone has an active role to play, including business executives, risk, compliance and audit professionals, operational teams, legal, and others. Cybersecurity risk management is a team effort and is everyone’s responsibility, from the boardroom to the front line to ensure a consistent and systematically robust organisation.

"Cybersecurity risk management is a team effort and is everyone’s responsibility, from the boardroom to the front line to ensure a consistent and systematically robust organisation." - Klaire Caritos Manager IT & Business Risk Services, Grant Thornton Malta

Ivan Galea (BMIT Technologies): A business should start with having a robust security policy to minimise the threats, as well as a disaster recovery plan or a security incident response procedure to follow in case of a security breach. Financial businesses should also engage services providers or advisories to create a security strategy plan, perform risk assessments and tap into their knowledge and expertise on cyber-attacks. Most importantly, businesses should have 'security' forged into their yearly budget.We also recommend getting certified on International Standards such as ISO27001 and PCI-DSS. These standards meet the minimum requirements for security and help you shape your security posture. Engaging a service provider will also allow you to see what additional security measures can be taken and deployed. Companies should also perform regular – minimum twice a year – security audits and assessments to exploit vulnerabilities and risks, and act on them before it is too late. Lastly, we recommend adopting strong user identity security and user authentication methods on all systems. A substantial percentage of data breaches are mostly related to weak authentication methods.

Where do you see cybersecurity three to five years from now?

Ivan Galea (BMIT Technologies): Cyber-attacks will not go away any time soon or even decrease in popularity. It is a new era of digital criminals. Cybersecurity is a game of cat and mouse; thus a proactive approach is required from financial businesses. Making sure they are security-aware and prepared for any eventuality.We, as a service provider, saw a big boost in 2020 from our partners as they created technologies and solutions using 'Zero Trust' and AI/machine learning within cyber threat intelligence capabilities to stay ahead of the attackers and protect businesses. AI will start featuring more in cybersecurity as we continue to digitise and grow our data. AI has also become crucial in analyses, detection, and response.Klaire Caritos (Grant Thornton): As technology evolves, education and training will make a difference. Once all levels of an organisation take data security seriously and understand the risks faced with poor data handling, insider threats will begin to decrease. In the coming years, many organisations are also likely to move away from traditional prevention models and focus on protection-based security models. Organisations’ measures will take the form of regular and proactive auditing and monitoring of access to critical systems and data.Gordon Micallef (RSM Malta): We see a convergence of security products that simplifies the technical platforms. At the same time, this will undoubtedly lower the cost of services and make applications available to small businesses that were previously out of reach to many organisations, including Intrusion Detection and Prevention, SIEM, and next-gen adaptable Identity Management solutions.Brian Borysewich (Continent 8 Technologies): We expect cybersecurity will morph its way into a hybrid with cybercrimes. Bad actors will no longer be content with stealing credit card or account information. They will escalate into seeking destruction and even inducing wars. Due to public and private cloud computing systems, the risks are greater. With cloud environments, you are no longer the custodian of your environment and are dependent solely on the vendor’s ability to protect your processing and storage systems. What’s more, cyber-attacks and threat vectors are no longer people sitting behind a monitor eating chips and sipping a drink. They are launched by highly skilled cybercriminals using BOT’s and Artificial Intelligence (AI) as the attack platform. The combination of BOTs plus AI and the ability to mutate the attack method in real-time requires “new thinking” in cybersecurity practices and methods. Organisations must realise that previous “checkbox security” will no longer suffice.